IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. XX, NO. Y, MONTH XX 






Synthesis of Binary k-Stage Machines
Abstract — An algorithm for constructing a shortest binary k-stage machine generating a given binary sequence is presented. This algorithm can be considered as an extension of the Berlekamp-Massey algorithm to the non-linear case.

Index Terms — Berlekamp-Massey algorithm, feedback shift 
register, nonlinear complexity 



I. Introduction 

In his seminal book HI Golomb described an extended 
version of the traditional feedback shift register, shown in 
Figure 1. He called such a device a binary k-stage machine.
Each stage $i \in \{0, 1, \ldots, k-1\}$ has its own next state function
$f_i$. Both feedback and feedforward connections are allowed.

In this paper, we address the problem of constructing a 
binary k-stage machine with the minimum k generating a given
binary sequence. We present a synthesis algorithm and derive 
the exact lower bound on k. Our work can be considered as 
an extension of Berlekamp-Massey algorithm 13 to the non- 
linear case. 

For the traditional Non-Linear Feedback Shift Registers 
(NLFSRs), the problem of finding a shortest NLFSR generat- 
ing a given binary sequence has been considered in 0, 0, 
and 0. 

II. Preliminaries 

A binary sequence A of length n is an n-tuple $(a_0, a_1, \ldots, a_{n-1})$ where $a_i \in \{0,1\}$ for $i \in \{0, 1, \ldots, n-1\}$. The Hamming weight of a binary sequence A, denoted by $wt(A)$, is the number of 1s in A. A binary sequence A of length n is balanced if $wt(A) = n - wt(A)$.

For a Boolean function $f : \{0,1\}^n \to \{0,1\}$, the support of $f$ is defined by

$$\Omega_f = \{x \in \{0,1\}^n : f(x) = 1\}.$$

The algebraic normal form (ANF) of a Boolean function $f$ is a polynomial in GF(2) of type

$$f(x_0, \ldots, x_{n-1}) = \sum_{i=0}^{2^n-1} c_i \cdot x_0^{i_0} \cdot x_1^{i_1} \cdots x_{n-1}^{i_{n-1}},$$

where $c_i \in \{0,1\}$ and $(i_{n-1} \ldots i_1 i_0)$ is the binary expansion of $i$ with $i_0$ being the least significant bit.

The gate complexity Q (or circuit-size complexity) of a 
Boolean function $f$ is the smallest number of gates in any
acyclic circuit computing $f$, given that the gates are restricted
to have at most two inputs. 

A state of a binary k-stage machine is a vector of values of
its k stages. 

E. Dubrova is with the Royal Institute of Technology (KTH), Stockholm, 
Fig. 1. A binary k-stage machine.



III. Synthesis Algorithm 

The algorithm presented in this section exploits the property 
of binary k-stage machines that any binary k-tuple can be the
next state of a given current state. Note that, in a traditional 
NLFSR in the Fibonacci configuration Q~|, the next state 
overlaps with a current state in $k-1$ positions. The Galois
configuration of NLFSRs, introduced in 0, is more flexible. 
However, since feedforward connections are not allowed in 
NLFSRs, the set of possible next states is still limited. 

First, we show how to construct a sequence of integers 
whose least significant bits follow a given aperiodic binary 
sequence of length n. 

Let $B = (0, 2, 4, \ldots)$ be an infinite vector of all even non-negative integers starting from 0. Let $C = (1, 3, 5, \ldots)$ be an infinite vector of all odd positive integers starting from 1. We denote by $b_i$ and $c_i$ the ith elements of B and C, respectively, for $i \in \{0, 1, 2, \ldots\}$.

Let $N_0 = 0$ and $N_1 = 0$. Given an aperiodic binary sequence A of length n, for every $i$ from 0 to $n-1$ we repeat the following:

If $a_i = 0$, then assign $s_i = b_{N_0}$ and increment $N_0$ by one.
Otherwise, assign $s_i = c_{N_1}$ and increment $N_1$ by one.

The algorithm described above is summarized as Algorithm 1. Its worst-case time complexity is $O(n)$.

Let $S = (s_0, s_1, \ldots, s_{n-1})$ be a sequence constructed by Algorithm 1. Each integer $s_i \in S$ can be represented as a binary expansion $(s_{i_{k-1}}, s_{i_{k-2}}, \ldots, s_{i_0}) \in \{0,1\}^k$ where k is the number of bits needed to represent the largest integer of S and $s_{i_0}$ is the least significant bit of the expansion. We interpret each k-tuple $(s_{i_{k-1}}, s_{i_{k-2}}, \ldots, s_{i_0})$ as a state of a binary k-stage machine. By construction, $s_{i_0} = a_i$ for all $i \in \{0, 1, \ldots, n-1\}$.

Next, we define a mapping $s_i \mapsto s_{i+1}$, for all $i \in \{0, 1, \ldots, n-1\}$, where "+" is modulo n. This mapping assigns $s_{i+1}$ to be the next state of a current state $s_i$ of a binary k-stage machine. Each of the $2^k - n$ remaining states of the binary k-stage machine is mapped into the all-0 state. This implies that they do not contribute any 1s to the supports of the next state functions.
Algorithm 1 Construct a sequence of non-negative integers whose least significant bits follow an aperiodic binary sequence $A = (a_0, a_1, \ldots, a_{n-1})$.

    B = (0, 2, 4, ...);   /* even non-negative integers */
    C = (1, 3, 5, ...);   /* odd positive integers */
    N_0 := 0;
    N_1 := 0;
    for every i from 0 to n-1 do
        if a_i = 0 then
            s_i := b_{N_0};   /* b_i is the ith element of B */
            N_0 := N_0 + 1;
        else
            s_i := c_{N_1};   /* c_i is the ith element of C */
            N_1 := N_1 + 1;
        end if
    end for
    Return S := (s_0, s_1, ..., s_{n-1});



Algorithm 2 Construct the next state functions for a binary k-stage machine which follows the sequence of states $S = (s_0, s_1, \ldots, s_{n-1})$, $s_i \in \{0,1\}^k$.

    for every j from 0 to k-1 do
        Ω_{f_j} = ∅;
    end for
    for every i from 0 to n-1 do
        for every j from 0 to k-1 do
            /* Each s_i ∈ S is of type (s_{i_{k-1}}, s_{i_{k-2}}, ..., s_{i_0}) ∈ {0,1}^k */
            if s_{(i+1)_j} = 1 then
                Ω_{f_j} = Ω_{f_j} ∪ {(s_{i_{k-1}}, s_{i_{k-2}}, ..., s_{i_0})};
            end if
        end for
    end for
    Return (f_0, f_1, ..., f_{k-1});



The supports of the next state functions implementing the resulting mapping are derived as follows. Initially $\Omega_{f_j} = \emptyset$, for all $j \in \{0, 1, \ldots, k-1\}$. For every $i$ from 0 to $n-1$, we repeat the following:

For every $j$ from 0 to $k-1$: If $s_{(i+1)_j} = 1$, where "+" is modulo n, then

$$\Omega_{f_j} = \Omega_{f_j} \cup \{(s_{i_{k-1}}, s_{i_{k-2}}, \ldots, s_{i_0})\}.$$

The algorithm described above is summarized as Algorithm 2. Its worst-case time complexity is $O(n \cdot k)$.

Theorem 1: The algorithm presented in this section constructs a binary k-stage machine generating a finite aperiodic binary sequence A where k is given by

$$k = \max(\lceil \log_2 wt(A) \rceil, \lceil \log_2 (n - wt(A)) \rceil) + 1, \qquad (1)$$

where n is the length of A.

Proof: When Algorithm 1 terminates, $N_1 = wt(A)$. Since A is aperiodic, we have $0 < wt(A) < n$. Therefore, the largest odd integer used from C is $2wt(A) - 1$. The binary expansion of this odd integer has $\lceil \log_2 wt(A) \rceil + 1$ bits. Similarly, when Algorithm 1 terminates, we have $N_0 = n - wt(A)$. The largest even integer used from B is $2(n - wt(A)) - 2$. The binary expansion of this even integer has $\lceil \log_2 (n - wt(A)) \rceil + 1$ bits.

□

The following property trivially follows from Theorem 1.

Lemma 1: If A is balanced, then (1) reduces to
$k = \lceil \log_2 n \rceil$.

As an example, consider the following sequence of length n = 19 taken from the Example V.1 in [6]:

A = (0011011100101110110).

It was shown in [6] that the shortest NLFSR generating this sequence has 7 stages. Below we show that the same sequence can be generated using a binary machine with 5 stages. This comes as no surprise, since a binary machine is more general than an NLFSR. Using Algorithm 1, we construct the following sequence of integers whose least significant bits follow A:

S= (0,2,1,3,4,5,7,9,6,8,11,10,13,15,17,12,19,21,14). 

By applying Algorithm 2 to S, we get the following supports for the next state functions:

$\Omega_{f_4} = \{(01100), (01111), (10011)\}$

$\Omega_{f_3} = \{(00110), (00111), (01000), (01010), (01011), (01101), (10001), (10101)\}$

$\Omega_{f_2} = \{(00011), (00100), (00101), (01001), (01010), (01101), (10001), (10011), (10101)\}$

$\Omega_{f_1} = \{(00000), (00001), (00101), (01000), (01001), (01011), (01100), (01101), (10101)\}$

$\Omega_{f_0} = \{(00001), (00010), (00100), (00101), (00111), (01000), (01010), (01100), (01101), (01111), (10011)\}$
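Algorithms 1 and 2 and the bound (1), run on this example, as an added Python example that is not code from the paper: states are held as integers, and the function names (algorithm1, algorithm2, stages, run_machine) are chosen here. It rebuilds S and the supports listed above, then clocks the resulting machine to confirm that its least significant stage reproduces A.

```python
def algorithm1(a):
    """Algorithm 1: integers whose least significant bits follow a."""
    n0 = n1 = 0                       # counters N_0 and N_1
    s = []
    for bit in a:
        if bit == 0:
            s.append(2 * n0)          # b_{N_0}: next unused even integer
            n0 += 1
        else:
            s.append(2 * n1 + 1)      # c_{N_1}: next unused odd integer
            n1 += 1
    return s

def stages(a):
    """k from equation (1); requires 0 < wt(a) < len(a)."""
    wt = sum(a)
    ceil_log2 = lambda m: (m - 1).bit_length()   # exact ceil(log2 m), m >= 1
    return max(ceil_log2(wt), ceil_log2(len(a) - wt)) + 1

def algorithm2(s, k):
    """Algorithm 2: supports[j] holds the states on which f_j equals 1."""
    n = len(s)
    supports = [set() for _ in range(k)]
    for i in range(n):
        nxt = s[(i + 1) % n]          # "+" is modulo n
        for j in range(k):
            if (nxt >> j) & 1:        # bit j of the next state
                supports[j].add(s[i])
    return supports

def run_machine(supports, state, steps):
    """Clock the machine; a state in no support maps to the all-0 state."""
    out = []
    for _ in range(steps):
        out.append(state & 1)         # least significant stage follows A
        state = sum(1 << j for j, sup in enumerate(supports) if state in sup)
    return out

# Sequence A of length n = 19 from the example above.
A = [int(c) for c in "0011011100101110110"]
K = stages(A)
S = algorithm1(A)
SUPPORTS = algorithm2(S, K)

if __name__ == "__main__":
    print("k =", K, "S =", S)
    for j in reversed(range(K)):
        print(f"support of f_{j}:", [format(x, f"0{K}b") for x in sorted(SUPPORTS[j])])
    print("generates A:", run_machine(SUPPORTS, S[0], len(A)) == A)
```

Because the last state 14 is mapped back to state 0, clocking the machine for more than n steps repeats A periodically.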

These supports have the following ANF expressions: 

/4 = XQXiX?, ©^1^2X3 ®X\X4 ©X0X1X4 ©X1X2X4 ©XoX 1X2X4 

©X1X3X4 ©X0X1X2X3X4 
/3 = X0X2 ©X[X2 ©XoX[X2 ©X0X3 ©X1X3 ©X2X3 ©X0X2X3 

© X1X2X3 © X4 © X0X4 © X1X4 © X0X1X4 © X0X2X4 © X1X2X4 

© X0X1X2X4 © X3X4 © X0X1X3X4 © X2X3X4 © X0X2X3X4 

©X1X2X3X4 

fl = XI ©X2 ©X()X2 ffiX0X[X2 ©X3 ©X2X3 ©X4 ©XoX4 ©X[X4 
© X2X4 © X0X2X4 © X1X2X4 © X0X3X4 © X2X3X4 © X1X2X3X4 
©X0X1X2X3X4 

fl = 1 ®X\ ©X2©X0X2 ©X[X2 ©X0X1X2 ©X0X1X3 ©X2X3 

©X0X2X3 ©X1X2X3 ©X4 ©X1X4 ©X2X4 ©X1X2X4 ©X0X1X3X4 
© X2X3X4 © X1X2X3X4 © X0X1X2X3X4 

/O = Xo ffiXj ©X2 ©X0X2 ©X0X1X2 ©X3 ©X[X3 ©X2X3 ©X1X2X3 
© X0X4 © X1X4 © X0X1X4 © X2X4 © X0X2X4 © X3X4 © X1X3X4 
©X0X1X3X4 ©X2X3X4 ©X1X2X3X4 ©X0X1X2X3X4 

As we can see, the resulting next state functions have a 
substantial gate complexity. We can potentially reduce the gate 
complexity as follows: 
1) By using a different sequence of states to generate A. In general, any permutation of even integers from the set $\{0, 2, 4, \ldots, 2(n - wt(A)) - 2\}$ and any permutation of odd integers from the set $\{1, 3, 5, \ldots, 2wt(A) - 1\}$ can be used in Algorithm 1 instead of vectors B and C, respectively, to construct a sequence of integers whose least significant bits follow A.

2) By mapping the remaining $2^k - n$ states of the binary k-stage machine in a different way. For example, rather than being mapped into the all-0 state, these states can form another cycle of states. The resulting binary k-stage machine will be branchless.

In general, the problem of constructing a binary k-stage machine with the minimum gate complexity of next state functions is very hard. It is unlikely that there exists an exact algorithm for solving this problem which is feasible for large n.



[3] C. J. A. Jansen, "The maximum order complexity of sequence ensembles," Lecture Notes in Computer Science, vol. 547, pp. 153-159, 1991. Adv. Cryptology-Eurocrypt'1991, Berlin, Germany.
[4] P. Rizomiliotis and N. Kalouptsidis, "Results on the nonlinear span of binary sequences," IEEE Transactions on Information Theory, vol. 51, no. 4, pp. 1555-5634, 2005.
[5] P. Rizomiliotis, N. Kolokotronis, and N. Kalouptsidis, "On the quadratic span of binary sequences," IEEE Transactions on Information Theory, vol. 51, no. 5, pp. 1840-1848, 2005.
[6] K. Limniotis, N. Kolokotronis, and N. Kalouptsidis, "On the nonlinear complexity and Lempel-Ziv complexity of finite length sequences," IEEE Transactions on Information Theory, vol. 53, no. 11, pp. 4293-4302, 2007.
[7] J. Massey, "The difficulty with difficulty." EUROCRYPT '96 IACR Distinguished Lecture.
[8] E. Dubrova, "A transformation from the Fibonacci to the Galois NLFSRs," IEEE Transactions on Information Theory, vol. 55, pp. 5263-5271, November 2009.



IV. Bound on the Size 

The theorem below shows that the bound given by (1) is exact.

Theorem 2: Given a finite aperiodic binary sequence A of length n, any binary machine which can generate A has at least k stages, where k is given by (1).

Proof: The existence of a binary machine with k stages which can generate A follows from Theorem 1. It remains to prove that no binary $k'$-stage machine with $k' < k$ can generate A.

Assume that k is given by (1) and that there exists a binary machine with $k'$ stages, $k' < k$, which can generate the same sequence A.

Let $wt(A) > n/2$. On one hand, from (1), we have $k = \lceil \log_2 wt(A) \rceil + 1$. On the other hand, to be able to generate an aperiodic binary sequence A, a binary $k'$-stage machine must have at least $wt(A)$ distinct states with the least significant bit 1. Therefore, it must have at least $k' \geq \lceil \log_2 wt(A) \rceil + 1$ stages. This contradicts the assumption $k' < k$.

In a similar way, we can come to a contradiction for the case $wt(A) < n/2$. Therefore, no binary machine with less than k stages can generate A.



V. Conclusion 

We presented an algorithm for constructing a shortest binary k-stage machine generating a given binary sequence. Since binary k-stage machines are probably the most general extension of NLFSRs, the lower bound given by Theorem 2 might be useful for estimating non-linear complexity of sequences.

Future work includes finding a heuristic approach for choos- 
ing a sequence of states which minimizes the gate complexity 
of the next state functions. 